How to detect negative number assigned to size_t?

Camille Goudeseune picture Camille Goudeseune · Mar 29, 2013 · Viewed 7.6k times · Source

This declaration compiles without warnings in g++ -pedantic -Wall (version 4.6.3):

std::size_t foo = -42;

Less visibly bogus is declaring a function with a size_t argument, and calling it with a negative value. Can such a function protect against an inadvertent negative argument (which appears as umpteen quintillion, obeying §4.7/2)?

Incomplete answers:

Just changing size_t to (signed) long discards the semantics and other advantages of size_t.

Changing it to ssize_t is merely POSIX, not Standard.

Changing it to ptrdiff_t is brittle and sometimes broken.

Testing for huge values (high-order bit set, etc) is arbitrary.

Answer

Chris Dodd picture Chris Dodd · Mar 29, 2013

The problem with issuing a warning for this is that it's not undefined behavior according to the standard. If you convert a signed value to an unsigned type of the same size, you can later convert that back to a signed value and get the original value on any standards-compliant compiler.

In addition, using negative values converted to size_t is fairly common practice for various error conditions -- many system calls return an unsigned (size_t or off_t) value for success or a -1 (converted to unsigned) for an error. So adding such a warning to the compiler would cause spurious warnings for much existing code. POSIX attempts to codify this with ssize_t, but that breaks calls that may be successful with a return value greater than the maximum signed value for ssize_t.